Will We Ever Get Rid of Passwords?

The most frequently asked question posed to our technical leadership is “Will we ever get rid of passwords in our lifetime?” The answer depends entirely on the generation you were born into and your ability to adapt to new technologies. Three concepts frame the discussion of passwords: “air gaps,” authenticity and egress. An air gap usually refers to a cluster of systems that has no network connection to any external cluster; that is, there is a gap you would have to jump through the air to cross from one cluster to the next. Highly sensitive systems such as national security, power plants, electrical grids and the like are air-gapped to deter malicious activity from external threats. Authenticity is the ability to correctly and consistently identify a human.

We have relied on passwords for more than 60 years to authenticate access to hardware, software and data resources. They have become less effective as the need to remember hundreds of accounts and their associated passwords has resulted in “password overload.” The majority of users reuse the same password across different accounts, and such passwords are easily replicated. In fact, current techniques can break a small percentage of all passwords in less than 24 hours. Simple combinations of the user ID, email address and required format can reveal a password. How many people capitalize the first letter of their password? How many people use a combination of their name and birthday?
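The patterns just listed (user ID or email embedded in the password, a birthday, a capitalized first letter with digits tacked on) are exactly what an enrolment form can reject up front. The following is an added example, not code from the article or from IBM, of such a check: `weak_pattern_reasons` is a hypothetical function that reports every way a candidate password can be derived from the account's own attributes, and the account values in `SAMPLE_ACCOUNT` are constructed for illustration.

```python
import re
from datetime import date

# Constructed account attributes used by the usage example below (not real data)
SAMPLE_ACCOUNT = {
    "user_id": "jsmith",
    "email": "john.smith@example.com",
    "birthday": date(1985, 6, 14),
}


def weak_pattern_reasons(password: str, user_id: str, email: str, birthday: date) -> list:
    """Return the ways a candidate password is derivable from the account's own
    attributes, so an enrolment form can reject it. An empty list means none found."""
    reasons = []
    lowered = password.lower()
    local_part = email.split("@", 1)[0].lower()

    # 1. The password embeds the user ID or the e-mail local part
    for label, token in (("user ID", user_id.lower()), ("email address", local_part)):
        if len(token) >= 3 and token in lowered:
            reasons.append(f"contains {label}")

    # 2. The password embeds the birthday in a common numeric layout
    for label, fmt in (("birth year", "%Y"), ("birth month/day", "%m%d"),
                       ("birth day/month", "%d%m"), ("full birth date", "%Y%m%d")):
        if birthday.strftime(fmt) in password:
            reasons.append(f"contains {label}")

    # 3. The predictable shape: capital first letter, a lowercase word,
    #    up to four digits and at most one trailing symbol
    if re.fullmatch(r"[A-Z][a-z]+\d{0,4}[!@#$%.?]?", password):
        reasons.append("predictable shape: capital first letter, word, digits, symbol")

    return reasons


def check_sample(password: str) -> list:
    """Run the check against the constructed sample account."""
    return weak_pattern_reasons(password, **SAMPLE_ACCOUNT)


if __name__ == "__main__":
    for candidate in ("Jsmith1985!", "John.Smith2020", "correct-horse-battery-staple"):
        print(candidate, "->", check_sample(candidate) or "no identity-derived pattern")
```

The check is deliberately attribute-driven rather than a generic complexity score: a password that passes length and character-class rules can still be the user's own ID plus birth year, which is the case the article describes.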

Why have passwords been so successful for so long? Simply because there is no “air gap” between the brain’s memory cells and the entry of the password; it is an egress action. The password is translated from chemicals and synapses into finger movements that result in the consistent authentication of the user. The system breaks when users reveal their password to a third party, when they use passwords that are easily replicated, or when a malicious object intercepts the password between the keyboard and the application.

New techniques require ingress methodologies that collect external information to authenticate a human. Examples include fingerprint recognition, facial recognition, cooperative geo-location and retina scans. These methodologies require an external (ingress) application collecting data across an air gap. They are far from foolproof and, in most cases, can be compromised with conventional technology. As stand-alone technologies they have had marginal success protecting low-value assets, and they have been most useful as an additional authentication mechanism for high-value assets. Any ingress application with an air gap will share these weaknesses. The closer these mechanisms come to sensory data, the greater the authentication consistency, e.g., checking for a pulse, moisture content or blood pressure while conducting the external scan. Even these can be replicated: a recent Mythbusters episode succeeded in defeating a sophisticated thumbprint scan with a short amount of work.

The next generation of authentication is focused on cooperative biometrics. Imagine a bracelet that collects electrical brain pulses, blood pressure, heart rate and electrocardiogram biometric data in conjunction with geo-location and endpoint data. The bracelet collects and characterizes the biometric data over time with an “always on” mentality. Monitoring sources know that this bracelet is attached to the same human being as it was last month because the historical data sets are similar. This is very hard to fake. Imagine a mischievous application that attempts to record and replay the data to “mirror” an authentication technique: it would need a history of biometric data, and it could not replay that history exactly, because an exact replay is easily detected. Building the collection mechanism and producing a “close but not exact” replay would be almost impossible. In essence, the longer the person wears the bracelet, the stronger the authentication mechanism.
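The paragraph above describes two checks the monitoring side would make on each new reading: it must be similar to the wearer's accumulated history, and it must not be an exact copy of a reading already seen. The following is an added example, not code from the article or from any real wearable product, showing one way to implement both checks on the monitoring side. The `HISTORY` windows are constructed values (heart rate in bpm, systolic blood pressure in mmHg, EEG alpha-band power), and the z-score rule with a limit of three standard deviations is an assumed decision rule chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed one-minute windows of (heart rate bpm, systolic mmHg, EEG alpha power),
# standing in for the history the bracelet has accumulated for one wearer.
HISTORY = [
    (62, 118, 0.42), (64, 120, 0.40), (61, 117, 0.44),
    (65, 121, 0.41), (63, 119, 0.43), (66, 122, 0.39),
]


class ContinuousAuthenticator:
    """Hypothetical monitoring-side check for a cooperative-biometric wearable.

    A new window is accepted only if it (a) is not an exact copy of a window
    already seen (replay) and (b) lies within z_limit standard deviations of
    the wearer's history on every channel (similarity). Each accepted window
    joins the history, so the baseline tightens the longer the device is worn.
    """

    def __init__(self, history, z_limit=3.0, min_sigma=1e-6):
        self.history = [tuple(w) for w in history]
        self.seen = {self._key(w) for w in self.history}
        self.z_limit = z_limit
        self.min_sigma = min_sigma  # guards against a constant channel
        self._refit()

    @staticmethod
    def _key(window):
        # Round so floating-point noise cannot defeat the exact-replay check
        return tuple(round(v, 3) for v in window)

    def _refit(self):
        # Per-channel mean and population standard deviation of the history
        channels = list(zip(*self.history))
        self.mu = [mean(c) for c in channels]
        self.sigma = [max(pstdev(c), self.min_sigma) for c in channels]

    def evaluate(self, window):
        """Return 'replay', 'drift' or 'accept' for one new window."""
        key = self._key(window)
        if key in self.seen:
            return "replay"          # an exact copy of an earlier reading
        zs = [abs(v - m) / s for v, m, s in zip(window, self.mu, self.sigma)]
        if max(zs) > self.z_limit:
            return "drift"           # not similar enough to this wearer's history
        self.history.append(tuple(window))
        self.seen.add(key)
        self._refit()
        return "accept"


if __name__ == "__main__":
    auth = ContinuousAuthenticator(HISTORY)
    for w in [(64, 120, 0.40), (63, 119, 0.42), (63, 119, 0.42), (95, 140, 0.20)]:
        print(w, "->", auth.evaluate(w))
```

The replay check runs before the similarity check on purpose: a recording of the real wearer is, by construction, perfectly similar to the history, so similarity alone would wave it through. A production system would also rate-limit and alert on repeated replay or drift verdicts rather than silently rejecting them.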

There have been recent patents for devices that can be implanted within an individual for convenience, but there are significant privacy issues associated with biometric implants with medical and insurability consequences.

The current generation, which has grown up with intelligent technology, may be much more accepting of cooperative biometrics and the associated devices. Older generations willing to adapt to these new authentication mechanisms may also benefit from a password-less system. Will we ever get rid of passwords in our lifetime? I believe the answer is yes for those born into the intelligent device age.

IBM Systems Magazine is a trademark of International Business Machines Corporation. The editorial content of IBM Systems Magazine is placed on this website by MSP TechMedia under license from International Business Machines Corporation.